7.242. sudo

Updated sudo packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The sudo (super user do) utility allows system administrators to give certain users the ability to run commands as root.

Note

The sudo package has been upgraded to upstream version 1.8.6p3, which provides a number of bug fixes and enhancements over the previous version. The following list includes highlights, important fixes, or notable enhancements:
  • Plug-in API has been added, provided by the new sudo-devel subpackage.
  • New /etc/sudo.conf configuration file for the sudo utility front-end configuration (plug-in path, coredumps, debugging and so on) has been added.
  • It is possible to specify the sudoer's path, UID, GID, and file mode as options to the plug-in in the /etc/sudo.conf file.
  • Support for using the System Security Services Daemon (SSSD) as a source of sudoers data has been provided.
  • The -D flag in the sudo utility has been replaced with a more general debugging framework that is configured in the /etc/sudo.conf file.
  • The deprecated noexec_file sudoers option is no longer supported.
  • The noexec functionality has been moved out of the sudoers policy plug-in and into the sudo utility front end, which matches the behavior documented in the plug-in writer's guide. As a result, the path to the /user/libexec/sudo_noexec.so file is now specified in the /etc/sudo.conf file instead of the /etc/sudoers file.
  • If the user fails to authenticate, and the user's executed command is rejected by the rules defined in the sudoers file, the command now allowed error message is now logged instead of the previously used <N> incorrect password attempts. Likewise, the mail_no_perms sudoers option now takes precedence over the mail_badpass option.
  • If the user is a member of the exempt group in the sudoers file, he will no longer be prompted for a password even if the -k option is specified with the executed command. This makes the sudo -k command consistent with the behavior one would get if running the sudo -k command immediately before executing another command.
  • If the user specifies a group via the sudo utility's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
  • A group ID (%#gid) can now be specified in the User_List or Runas_List files. Likewise, for non-Unix groups the syntax is %:#gid.
  • The visudo utility now fixes the mode on the sudoers file even if no changes are made, unless the -f option is specified.
(BZ#759480)

Bug fixes

BZ#823993
The controlling tty of a suspended process was not saved by the sudo utility. Thus, the code handling the resume operation could not restore it correctly. Consequently, resume was not enabled to a suspended process run through the sudo utility. This bug has been fixed by rebasing to a new upstream version. As a result, suspending and resuming works correctly again.
BZ#840980
A change in the internal execution method of commands in the sudo utility was the cause of creating a new process and executing the command from there. To fix this bug, new defaults option was added to restore the old behavior. Since the execution method has been implemented to correctly handle PAM session handling, I/O logging, SELinux support, and the plug-in policy close functionality, these features do not work correctly if the newly-implemented option is used. To apply this option, add the following line to the /etc/sudoers file:
Defaults cmnd_no_wait
As a result, if the newly-implemented option is used, commands will be executed directly by the sudo utility.
BZ#836242
The sudo utility set the core dump size limit to 0 to prevent the possibility of exposing the user password in the core dump file in case of an unexpected termination. However, this limit was not reset to the previous state before executing a command and the core dump size hard limit of a child process was eventually set to 0. Consequently, it was not possible to set the core dump size limit by processes run through the sudo utility. This bug was fixed by rebasing to a new upstream version; thus, setting the core dump size limit by processes run through the sudo utility works as expected.
BZ#804123
When initializing the global variable holding the PAM (Pluggable Authentication Modules) handle from a child process, which had a separate address space, a different PAM handle was passed to PAM API functions where the same handle was supposed to be used. Thus, the initialization had no effect on the parent's PAM handle when the pam_end_sessions() function was called. As a consequence, dependent modules could fail to iniciate at session close in order to release resources or make important administrative changes. This bug has been fixed by rebasing to a newer upstream version, which uses the PAM API correctly (for example, initializes one PAM handle and uses it in all related PAM API function calls). As a result, PAM sessions are now closed correctly.
BZ#860397
Incorrect file permissions on the /etc/sudo-ldap.conf file and missing examples in the same file led to an inconsistency with documentation provided by Red Hat. With this update, file permissions have been corrected and example configuration lines have been added. As a result, /etc/sudo-ldap.conf is now consistent with the documentation.
BZ#844691
When the sudo utility set up the environment in which it ran a command, it reset the value of the RLIMIT_NPROC resource limit to the parents value of this limit if both the soft (current) and hard (maximum) values of RLIMIT_NPROC were not limited. An upstream patch has been provided to address this bug and RLIMIT_NPROC can now be set to "unlimited".
BZ#879675
Due to different parsing rules for comments in the /etc/ldap.conf file, the hash ('#') character could not be used as part of a configuration value, for example in a password. It was understood as a beginning of a comment and everything following the # character was ignored. Now, the parser has been fixed to interpret the # character as a beginning of a comment only if it is at the beginning of a line. As a result, the '#' character can be used as part of a password, or any other value if needed.
BZ#872740
White space characters included in command arguments were not escaped before being passed to the specified command. As a consequence, incorrect arguments were passed to the specified command. This bug was fixed by rebasing to a new upstream version where the escape of command arguments is performed correctly. As a result, command arguments specified on the command line are passed to the command as expected.

Enhancements

BZ#789937
The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or via LDAP (Lightweight Directory Access Protocol). Previously, when a match was found in the first database of sudoers entries, the look-up operation still continued in other databases. In Red Hat Enterprise Linux 6.4, an option has been added to the /etc/nsswitch.conf file that allows users to specify a database after which a match of the sudoer's entry is sufficient. This eliminates the need to query any other databases; thus improving the performance of sudoer's entry look up in large environments. This behavior is not enabled by default and must be configured by adding the [SUCCESS=return] string after a selected database. When a match is found in a database that directly precedes this string, no other databases are queried.
BZ#846117
This update improves sudo documentation in the section describing wildcard usage, describing what unintended consequences a wildcard character used in the command argument can have.
Users of sudo should upgrade to these updated packages, which fix these bugs and add these enhancements.